Bug 47628

Summary: openssh: Multiple issues (4.2)
Product: UCS Reporter: Quality Assurance <qa>
Component: Security updatesAssignee: Quality Assurance <qa>
Status: CLOSED FIXED QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P3    
Version: UCS 4.2   
Target Milestone: UCS 4.2-4-errata   
Hardware: All   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Description Quality Assurance univentionstaff 2018-08-22 10:19:08 CEST 
New Debian openssh 1:6.7p1-5+deb8u5A~4.2.4.201808221019 fixes:
This update addresses the following issue:
* User enumeration via malformed packets in authentication requests (CVE-2018-15473)
Comment 1 Quality Assurance univentionstaff 2018-08-22 14:14:47 CEST 
--- mirror/ftp/4.2/unmaintained/4.2-4/source/openssh_6.7p1-5+deb8u4A~4.2.4.201805071556.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/openssh_6.7p1-5+deb8u5A~4.2.4.201808221019.dsc
@@ -1,9 +1,15 @@
-1:6.7p1-5+deb8u4A~4.2.4.201805071556 [Mon, 07 May 2018 16:00:34 +0200] Univention builddaemon <buildd@univention.de>:
+1:6.7p1-5+deb8u5A~4.2.4.201808221019 [Wed, 22 Aug 2018 10:19:17 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     CVE-2015-5352
     CVE-2015-5600-1
     CVE-2015-5600-2
+
+1:6.7p1-5+deb8u5 [Tue, 21 Aug 2018 18:04:27 +0100] Chris Lamb <lamby@debian.org>:
+
+  * CVE-2018-15473: Prevent a user enumeration vulnerability by delaying the
+    bailout for invalid authenticating users until after the packet containing
+    the request has been fully parsed. (closes: #906236)
 
 1:6.7p1-5+deb8u4 [Sat, 18 Nov 2017 10:56:29 +0000] Colin Watson <cjwatson@debian.org>:
 

<http://10.200.17.11/4.2-4/#3961379882662141592>
Comment 2 Philipp Hahn univentionstaff 2018-08-22 14:35:50 CEST 
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 9de43ed1d8 Bug #47628: openssh 1:6.7p1-5+deb8u5A~4.2.4.201808221019
 doc/errata/staging/openssh.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

[4.2-4] 0067499213 Bug #47628: openssh 1:6.7p1-5+deb8u5A~4.2.4.201808221019
 doc/errata/staging/openssh.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-29 13:42:58 CEST 
<http://errata.software-univention.de/ucs/4.2/499.html>